Abstract
The security of the Norwegian Internet voting system depends strongly on the implemented verification code mechanism, which allows voters to verify if their vote has been cast and recorded as intended. For this to work properly, a secure and independent auxiliary channel for transmitting the verification codes to the voters is required. The Norwegian system assumes that SMS satisfies the necessary requirements for such a channel. This paper demonstrates that this is no longer the case today. If voters use smartphones or tablet computers for receiving SMS messages, a number of new attack scenarios appear. We show how an adversary may exploit these scenarios in systems providing vote updating and point out the consequences for the vote integrity in the Norwegian system. We also give a list of possible counter-measures and system enhancements to prevent and detect such attacks.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Koenig, R.E., Locher, P., Haenni, R. (2013). Attacking the Verification Code Mechanism in the Norwegian Internet Voting System. In: Heather, J., Schneider, S., Teague, V. (eds) E-Voting and Identity. Vote-ID 2013. Lecture Notes in Computer Science, vol 7985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39185-9_5
DOI: https://doi.org/10.1007/978-3-642-39185-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39184-2
Online ISBN: 978-3-642-39185-9
eBook Packages: Computer Science, Computer Science (R0)